| OLD | NEW |
|---|
| 1 // Copyright 2017 The LUCI Authors. | 1 // Copyright 2017 The LUCI Authors. |
| 2 // | 2 // |
| 3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
| 5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
| 6 // | 6 // |
| 7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 // | 8 // |
| 9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
| 10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 // See the License for the specific language governing permissions and | 12 // See the License for the specific language governing permissions and |
| 13 // limitations under the License. | 13 // limitations under the License. |
| 14 | 14 |
| 15 package serviceaccounts | 15 package serviceaccounts |
| 16 | 16 |
| 17 import ( | 17 import ( |
| 18 "sort" | 18 "sort" |
| 19 "testing" | 19 "testing" |
| 20 | 20 |
| 21 "github.com/golang/protobuf/proto" | 21 "github.com/golang/protobuf/proto" |
| 22 "golang.org/x/net/context" |
| 22 | 23 |
| 24 "github.com/luci/luci-go/server/auth" |
| 25 "github.com/luci/luci-go/server/auth/authtest" |
| 23 "github.com/luci/luci-go/tokenserver/api/admin/v1" | 26 "github.com/luci/luci-go/tokenserver/api/admin/v1" |
| 24 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy" | 27 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy" |
| 25 | 28 |
| 29 . "github.com/luci/luci-go/common/testing/assertions" |
| 26 . "github.com/smartystreets/goconvey/convey" | 30 . "github.com/smartystreets/goconvey/convey" |
| 27 ) | 31 ) |
| 28 | 32 |
| 33 const fakeConfig = ` |
| 34 rules { |
| 35 name: "rule 1" |
| 36 owner: "developer@example.com" |
| 37 service_account: "abc@robots.com" |
| 38 service_account: "def@robots.com" |
| 39 allowed_scope: "https://www.googleapis.com/scope1" |
| 40 allowed_scope: "https://www.googleapis.com/scope2" |
| 41 end_user: "user:enduser@example.com" |
| 42 end_user: "group:enduser-group" |
| 43 proxy: "user:proxy@example.com" |
| 44 proxy: "group:proxy-group" |
| 45 } |
| 46 rules { |
| 47 name: "rule 2" |
| 48 service_account: "xyz@robots.com" |
| 49 }` |
| 50 |
| 29 func TestRules(t *testing.T) { | 51 func TestRules(t *testing.T) { |
| 30 t.Parallel() | 52 t.Parallel() |
| 31 | 53 |
| 32 Convey("Loads", t, func() { | 54 Convey("Loads", t, func() { |
| 33 » » cfg, err := loadConfig(` | 55 » » cfg, err := loadConfig(fakeConfig) |
| 34 » » » rules { | |
| 35 » » » » name: "rule 1" | |
| 36 » » » » owner: "developer@example.com" | |
| 37 » » » » service_account: "abc@robots.com" | |
| 38 » » » » service_account: "def@robots.com" | |
| 39 » » » » allowed_scope: "https://www.googleapis.com/scope
1" | |
| 40 » » » » allowed_scope: "https://www.googleapis.com/scope
2" | |
| 41 » » » » end_user: "user:abc@example.com" | |
| 42 » » » » end_user: "group:enduser-group" | |
| 43 » » » » proxy: "user:proxy@example.com" | |
| 44 » » » » proxy: "group:proxy-group" | |
| 45 » » » } | |
| 46 » » » rules { | |
| 47 » » » » name: "rule 2" | |
| 48 » » » » service_account: "xyz@robots.com" | |
| 49 » » » } | |
| 50 » » `) | |
| 51 So(err, ShouldBeNil) | 56 So(err, ShouldBeNil) |
| 52 So(cfg, ShouldNotBeNil) | 57 So(cfg, ShouldNotBeNil) |
| 53 | 58 |
| 54 rule := cfg.Rule("abc@robots.com") | 59 rule := cfg.Rule("abc@robots.com") |
| 55 So(rule, ShouldNotBeNil) | 60 So(rule, ShouldNotBeNil) |
| 56 So(rule.Rule.Name, ShouldEqual, "rule 1") | 61 So(rule.Rule.Name, ShouldEqual, "rule 1") |
| 57 | 62 |
| 58 scopes := rule.AllowedScopes.ToSlice() | 63 scopes := rule.AllowedScopes.ToSlice() |
| 59 sort.Strings(scopes) | 64 sort.Strings(scopes) |
| 60 So(scopes, ShouldResemble, []string{ | 65 So(scopes, ShouldResemble, []string{ |
| 61 "https://www.googleapis.com/scope1", | 66 "https://www.googleapis.com/scope1", |
| 62 "https://www.googleapis.com/scope2", | 67 "https://www.googleapis.com/scope2", |
| 63 }) | 68 }) |
| 64 | 69 |
| 65 So(rule.EndUsers.ToStrings(), ShouldResemble, []string{ | 70 So(rule.EndUsers.ToStrings(), ShouldResemble, []string{ |
| 66 "group:enduser-group", | 71 "group:enduser-group", |
| 67 » » » "user:abc@example.com", | 72 » » » "user:enduser@example.com", |
| 68 }) | 73 }) |
| 69 So(rule.Proxies.ToStrings(), ShouldResemble, []string{ | 74 So(rule.Proxies.ToStrings(), ShouldResemble, []string{ |
| 70 "group:proxy-group", | 75 "group:proxy-group", |
| 71 "user:proxy@example.com", | 76 "user:proxy@example.com", |
| 72 }) | 77 }) |
| 73 So(rule.Rule.MaxGrantValidityDuration, ShouldEqual, 24*3600) | 78 So(rule.Rule.MaxGrantValidityDuration, ShouldEqual, 24*3600) |
| 74 | 79 |
| 75 So(cfg.Rule("def@robots.com").Rule.Name, ShouldEqual, "rule 1") | 80 So(cfg.Rule("def@robots.com").Rule.Name, ShouldEqual, "rule 1") |
| 76 So(cfg.Rule("xyz@robots.com").Rule.Name, ShouldEqual, "rule 2") | 81 So(cfg.Rule("xyz@robots.com").Rule.Name, ShouldEqual, "rule 2") |
| 77 So(cfg.Rule("unknown@robots.com"), ShouldBeNil) | 82 So(cfg.Rule("unknown@robots.com"), ShouldBeNil) |
| 78 }) | 83 }) |
| 84 |
| 85 Convey("Check works", t, func() { |
| 86 cfg, err := loadConfig(fakeConfig) |
| 87 So(err, ShouldBeNil) |
| 88 So(cfg, ShouldNotBeNil) |
| 89 |
| 90 // Need an auth state for group membership checks to work. |
| 91 ctx := auth.WithState(context.Background(), &authtest.FakeState{ |
| 92 Identity: "user:unused@example.com", |
| 93 }) |
| 94 |
| 95 Convey("Happy path", func() { |
| 96 r, err := cfg.Check(ctx, &RulesQuery{ |
| 97 ServiceAccount: "abc@robots.com", |
| 98 Proxy: "user:proxy@example.com", |
| 99 EndUser: "user:enduser@example.com", |
| 100 }) |
| 101 So(err, ShouldBeNil) |
| 102 So(r.Rule.Name, ShouldEqual, "rule 1") |
| 103 }) |
| 104 |
| 105 Convey("Unknown service account", func() { |
| 106 _, err := cfg.Check(ctx, &RulesQuery{ |
| 107 ServiceAccount: "unknown@robots.com", |
| 108 Proxy: "user:proxy@example.com", |
| 109 EndUser: "user:enduser@example.com", |
| 110 }) |
| 111 So(err, ShouldBeRPCPermissionDenied, "unknown service ac
count or not enough permissions to use it") |
| 112 }) |
| 113 |
| 114 Convey("Unauthorized proxy", func() { |
| 115 _, err := cfg.Check(ctx, &RulesQuery{ |
| 116 ServiceAccount: "abc@robots.com", |
| 117 Proxy: "user:unknown@example.com", |
| 118 EndUser: "user:enduser@example.com", |
| 119 }) |
| 120 So(err, ShouldBeRPCPermissionDenied, "unknown service ac
count or not enough permissions to use it") |
| 121 }) |
| 122 |
| 123 Convey("Unauthorized end user", func() { |
| 124 _, err := cfg.Check(ctx, &RulesQuery{ |
| 125 ServiceAccount: "abc@robots.com", |
| 126 Proxy: "user:proxy@example.com", |
| 127 EndUser: "user:unknown@example.com", |
| 128 }) |
| 129 So(err, ShouldBeRPCPermissionDenied, |
| 130 `per rule "rule 1" the user "user:unknown@exampl
e.com" is not authorized to use the service account "abc@robots.com"`) |
| 131 }) |
| 132 }) |
| 79 } | 133 } |
| 80 | 134 |
| 81 func loadConfig(text string) (*Rules, error) { | 135 func loadConfig(text string) (*Rules, error) { |
| 82 cfg := &admin.ServiceAccountsPermissions{} | 136 cfg := &admin.ServiceAccountsPermissions{} |
| 83 err := proto.UnmarshalText(text, cfg) | 137 err := proto.UnmarshalText(text, cfg) |
| 84 if err != nil { | 138 if err != nil { |
| 85 return nil, err | 139 return nil, err |
| 86 } | 140 } |
| 87 rules, err := prepareRules(policy.ConfigBundle{serviceAccountsCfg: cfg},
"fake-revision") | 141 rules, err := prepareRules(policy.ConfigBundle{serviceAccountsCfg: cfg},
"fake-revision") |
| 88 if err != nil { | 142 if err != nil { |
| 89 return nil, err | 143 return nil, err |
| 90 } | 144 } |
| 91 return rules.(*Rules), nil | 145 return rules.(*Rules), nil |
| 92 } | 146 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2993763002:
tokenserver: Extract rules check into a separate function. (Closed)
